
Monday, 10 August 2015

Difference between IDP initiated SSO and SP initiated SSO


In IdP-initiated SSO (unsolicited web SSO) the federation process is initiated by the IdP sending an unsolicited SAML Response to the SP. In SP-initiated SSO, the SP generates an AuthnRequest that is sent to the IdP as the first step in the federation process, and the IdP then responds with a SAML Response.

IDP Initiated SSO


  1. A user has logged on to the IdP.
  2. The user requests access to a protected SP resource. The user is not logged on to the SP site.
  3. Optionally, the IdP retrieves attributes from the user data store.
  4. The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.


SP Initiated SSO


  1. The user requests access to a protected SP resource. The request is redirected to the federation server to handle authentication.
  2. The federation server sends an HTML form back to the browser with a SAML request for authentication from the IdP. The HTML form is automatically posted to the IdP’s SSO service.
  3. If the user is not already logged on to the IdP site or if re-authentication is required, the IdP asks for credentials (e.g., ID and password) and the user logs on.
  4. Additional information about the user may be retrieved from the user data store for inclusion in the SAML response. (These attributes are predetermined as part of the federation agreement between the IdP and the SP.)
  5. The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.


Example (SP Initiated SSO)

This first example describes an SP-initiated SSO exchange. In such an exchange, the user attempts to access a resource on the SP, sp.example.com. However, they do not have a current logon session on this site, and their federated identity is managed by their IdP, idp.example.org. They are sent to the IdP to log on, and the IdP provides a SAML web SSO assertion for the user's federated identity back to the SP.

For this specific use case, the HTTP Redirect Binding is used to deliver the SAML <AuthnRequest> message to the IdP and the HTTP POST Binding is used to return the SAML <Response> message containing the assertion to the SP.


The figure below illustrates the message flow.



The processing is as follows:

1-The user attempts to access a resource on sp.example.com. The user does not have a valid logon session (i.e. security context) on this site. The SP saves the requested resource URL in local state information that can be saved across the web SSO exchange.

2-The SP sends an HTTP redirect response to the browser (HTTP status 302 or 303). The Location HTTP header contains the destination URI of the Sign-On Service at the identity provider together with an <AuthnRequest> message encoded as a URL query variable named SAMLRequest.

<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_1"
Version="2.0"
IssueInstant="2004-12-05T09:21:59Z"
AssertionConsumerServiceIndex="1">
<saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
<samlp:NameIDPolicy
AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>

The query string is encoded using the DEFLATE encoding. The browser processes the redirect response and issues an HTTP GET request to the IdP's Single Sign-On Service with the SAMLRequest query parameter. The local state information (or a reference to it) is also included in the HTTP response encoded in a RelayState query string parameter.

https://idp.example.org/SAML2/SSO/Redirect?SAMLRequest=request&RelayState=token
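The encoding of the step-2 redirect, as an added Python example (not code from the original post): it turns the <AuthnRequest> shown above into the SAMLRequest query parameter (raw DEFLATE, then base64, then URL encoding) and decodes it again the way the IdP's Single Sign-On Service must, with a cap on the inflated size, because a few hundred compressed bytes can otherwise inflate without bound. The 80-byte RelayState limit comes from the SAML bindings specification; SSO_URL is the IdP URL from the page, and MAX_INFLATED and the function names are assumptions of this example.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# The <AuthnRequest> from step 2 above, used here as sample input.
AUTHN_REQUEST = """<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_1"
Version="2.0"
IssueInstant="2004-12-05T09:21:59Z"
AssertionConsumerServiceIndex="1">
<saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
<samlp:NameIDPolicy
AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""

SSO_URL = "https://idp.example.org/SAML2/SSO/Redirect"  # IdP Single Sign-On Service (from the page)
MAX_INFLATED = 64 * 1024  # assumed cap on the decoded request size
MAX_RELAY_STATE = 80      # SAML bindings: a RelayState value MUST NOT exceed 80 bytes


def deflate_encode(xml):
    """Raw DEFLATE (no zlib header, wbits=-15) followed by base64, as the Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def deflate_decode(value, max_bytes=MAX_INFLATED):
    """Inverse of deflate_encode; refuses input that is truncated or inflates beyond max_bytes."""
    dec = zlib.decompressobj(-15)
    data = dec.decompress(base64.b64decode(value), max_bytes)
    if not dec.eof:  # stream end not reached within the output limit
        raise ValueError("SAMLRequest is truncated or inflates beyond the size limit")
    return data.decode("utf-8")


def inflates_within_limit(value, max_bytes=MAX_INFLATED):
    """True if the SAMLRequest parameter decodes within max_bytes (the check the IdP should make)."""
    try:
        deflate_decode(value, max_bytes)
        return True
    except ValueError:
        return False


def build_redirect_url(xml, relay_state):
    """Location header value for the HTTP 302/303 response of step 2."""
    if len(relay_state.encode("utf-8")) > MAX_RELAY_STATE:
        raise ValueError("RelayState exceeds 80 bytes")
    query = urlencode({"SAMLRequest": deflate_encode(xml), "RelayState": relay_state})
    return SSO_URL + "?" + query


def parse_redirect_url(url):
    """What the IdP does with the GET request: returns (authn_request_xml, relay_state)."""
    params = parse_qs(urlparse(url).query)
    return deflate_decode(params["SAMLRequest"][0]), params["RelayState"][0]


if __name__ == "__main__":
    location = build_redirect_url(AUTHN_REQUEST, "token")
    print(location)
    print(parse_redirect_url(location)[0])
```

The SP never signs the Redirect-binding request in this example, so the IdP treats it purely as a hint about which SP is asking; what protects the exchange is the signed assertion that comes back in step 5, not the request.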

3-The Single Sign-On Service determines whether the user has an existing logon security context at the identity provider that meets the default or requested (in the <AuthnRequest>) authentication policy requirements. If not, the IdP interacts with the browser to challenge the user to provide valid credentials.

4-The user provides valid credentials and a local logon security context is created for the user at the IdP.

5-The IdP Single Sign-On Service builds a SAML assertion representing the user's logon security context. Since a POST binding is going to be used, the assertion is digitally signed and then placed within a SAML <Response> message. The <Response> message is then placed within an HTML FORM as a hidden form control named SAMLResponse. If the IdP received a RelayState value from the SP, it must return it unmodified to the SP in a hidden form control named RelayState. The Single Sign-On Service sends the HTML form back to the browser in the HTTP response. For ease of use purposes, the HTML FORM typically will be accompanied by script code that will automatically post the form to the destination site.

<form method="post" action="https://sp.example.com/SAML2/SSO/POST" ...>
<input type="hidden" name="SAMLResponse" value="response" />
<input type="hidden" name="RelayState" value="token" />
...
<input type="submit" value="Submit" />
</form>

The value of the SAMLResponse parameter is the base64 encoding of the following
<samlp:Response> element:


<samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_2"
InResponseTo="identifier_1"
Version="2.0"
IssueInstant="2004-12-05T09:22:05Z"
Destination="https://sp.example.com/SAML2/SSO/POST">
<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
<samlp:Status>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_3"
Version="2.0"
IssueInstant="2004-12-05T09:22:05Z">
<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
<!-- a POSTed assertion MUST be signed -->
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
3f7b3dcf-1674-4ecd-92c8-1544f346baf8
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
InResponseTo="identifier_1"
Recipient="https://sp.example.com/SAML2/SSO/POST"
NotOnOrAfter="2004-12-05T09:27:05Z"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions
NotBefore="2004-12-05T09:17:05Z"
NotOnOrAfter="2004-12-05T09:27:05Z">
<saml:AudienceRestriction>
<saml:Audience>https://sp.example.com/SAML2</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement
AuthnInstant="2004-12-05T09:22:00Z"
SessionIndex="identifier_3">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>

6-The browser, due either to a user action or execution of an “auto-submit” script, issues an HTTP POST request to send the form to the SP's Assertion Consumer Service.

POST /SAML2/SSO/POST HTTP/1.1
Host: sp.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: nnn
SAMLResponse=response&RelayState=token

where the values of the SAMLResponse and RelayState parameters are taken from the HTML form of Step 5.

The service provider's Assertion Consumer Service obtains the <Response> message from the HTML FORM for processing. The digital signature on the SAML assertion must first be validated and then the assertion contents are processed in order to create a local logon security context for the user at the SP. Once this completes, the SP retrieves the local state information indicated by the RelayState data to recall the originally-requested resource URL. It then sends an HTTP redirect response to the browser directing it to access the originally requested resource (not shown).

7-An access check is made to establish whether the user has the correct authorization to access the resource. If the access check passes, the resource is then returned to the browser.

Example (IDP Initiated SSO)

In addition to supporting the new SP-Initiated web SSO use cases, SAML v2 continues to support the IdP-initiated web SSO use cases originally supported by SAML v1. In an IdP-initiated use case, the identity provider is configured with specialized links that refer to the desired service providers. These links actually refer to the local IdP's Single Sign-On Service and pass parameters to the service identifying the remote SP. So instead of visiting the SP directly, the user accesses the IdP site and clicks on one of the links to gain access to the remote SP. This triggers the creation of a SAML assertion that, in this example, will be transported to the service provider using the HTTP POST binding.

The figure below shows the process flow for an IdP-initiated web SSO exchange.



The processing is as follows:

1-If the user does not have a valid local security context at the IdP, at some point the user will be challenged to supply their credentials to the IdP site, idp.example.org.

2-The user provides valid credentials and a local logon security context is created for the user at the IdP.

3-The user selects a menu option or link on the IdP to request access to an SP web site, sp.example.com. This causes the IdP's Single Sign-On Service to be called.

4-The Single Sign-On Service builds a SAML assertion representing the user's logon security context. Since a POST binding is going to be used, the assertion is digitally signed before it is placed within a SAML <Response> message. The <Response> message is then placed within an HTML FORM as a hidden form control named SAMLResponse. (If the convention for identifying a specific application resource at the SP is supported at the IdP and SP, the resource URL at the SP is also encoded into the form using a hidden form control named RelayState.) The Single Sign-On Service sends the HTML form back to the browser in the HTTP response. For ease-of-use purposes, the HTML FORM typically will contain script code that will automatically post the form to the destination site.

5-The browser, due either to a user action or execution of an “auto-submit” script, issues an HTTP POST request to send the form to the SP's Assertion Consumer Service. The service provider's Assertion Consumer Service obtains the <Response> message from the HTML FORM for processing. The digital signature on the SAML assertion must first be validated and then the assertion contents are processed in order to create a local logon security context for the user at the SP. Once this completes, the SP retrieves the RelayState data (if any) to determine the desired application resource URL and sends an HTTP redirect response to the browser directing it to access the requested resource (not shown).

6-An access check is made to establish whether the user has the correct authorization to access the resource. If the access check passes, the resource is then returned to the browser.
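The Assertion Consumer Service processing described in step 6 of the SP-initiated example and step 5 of the IdP-initiated example, as one added Python example (not code from the original post or from any SAML library). It parses the <samlp:Response> shown in the SP-initiated example with the standard library and applies the checks a relying party must make before creating a local security context: Status, Destination, Issuer, InResponseTo against the SP's own outstanding request IDs, the bearer SubjectConfirmationData (Recipient, InResponseTo, NotOnOrAfter), Conditions with AudienceRestriction, and a replay cache of assertion IDs. XML-Signature verification is delegated to a caller-supplied callback, an assumption of this example; a deployment would use an XML-DSig library. For an unsolicited IdP-initiated response there is no InResponseTo, so the SP has to opt in with allow_unsolicited and gives up the request-correlation check; that is the trade-off of the IdP-initiated pattern. SP_ENTITY_ID, ACS_URL, TRUSTED_IDP and the one-minute clock skew are assumed SP configuration taken from the page's values.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Assumed SP-side configuration (values taken from the example above).
SP_ENTITY_ID = "https://sp.example.com/SAML2"
ACS_URL = "https://sp.example.com/SAML2/SSO/POST"
TRUSTED_IDP = "https://idp.example.org/SAML2"
CLOCK_SKEW = timedelta(minutes=1)
SAMPLE_NOW = datetime(2004, 12, 5, 9, 22, 30, tzinfo=timezone.utc)  # inside the validity window

# The <samlp:Response> of the SP-initiated example above, condensed onto fewer lines.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="identifier_2" InResponseTo="identifier_1"
  Version="2.0" IssueInstant="2004-12-05T09:22:05Z" Destination="https://sp.example.com/SAML2/SSO/POST">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="identifier_3" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
    <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="identifier_1"
          Recipient="https://sp.example.com/SAML2/SSO/POST" NotOnOrAfter="2004-12-05T09:27:05Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/SAML2</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2004-12-05T09:22:00Z" SessionIndex="identifier_3">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlValidationError(Exception):
    pass


def _ts(value):
    """Parse a SAML UTC timestamp such as 2004-12-05T09:22:05Z (None if absent)."""
    return None if value is None else datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, outstanding_request_ids, seen_assertion_ids, now,
                      signature_is_valid, allow_unsolicited=False):
    """Validate a POSTed <samlp:Response>; return (NameID, SessionIndex) or raise."""
    root = ET.fromstring(xml_text)  # expat does not resolve external entities
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if root.tag != "{%s}Response" % NS["samlp"] or code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("not a successful samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise SamlValidationError("Destination is not our ACS URL")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None and not allow_unsolicited:
        raise SamlValidationError("unsolicited response not accepted")
    if in_response_to is not None and in_response_to not in outstanding_request_ids:
        raise SamlValidationError("InResponseTo does not match an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != TRUSTED_IDP:
        raise SamlValidationError("no assertion from the trusted IdP")
    if not signature_is_valid(assertion):  # XML-DSig check, delegated to the caller
        raise SamlValidationError("assertion signature invalid")
    assertion_id = assertion.get("ID")
    if not assertion_id or assertion_id in seen_assertion_ids:
        raise SamlValidationError("assertion missing ID or replayed")
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = None if conf is None else conf.find("saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Method") != BEARER or data is None:
        raise SamlValidationError("no bearer SubjectConfirmation")
    if data.get("Recipient") != ACS_URL or data.get("InResponseTo") != in_response_to:
        raise SamlValidationError("SubjectConfirmationData Recipient/InResponseTo mismatch")
    expiry = _ts(data.get("NotOnOrAfter"))
    if expiry is None or now >= expiry + CLOCK_SKEW:
        raise SamlValidationError("SubjectConfirmationData missing NotOnOrAfter or expired")
    cond = assertion.find("saml:Conditions", NS)
    not_before = None if cond is None else _ts(cond.get("NotBefore"))
    not_after = None if cond is None else _ts(cond.get("NotOnOrAfter"))
    if not_before is None or not_after is None or now < not_before - CLOCK_SKEW or now >= not_after + CLOCK_SKEW:
        raise SamlValidationError("assertion outside its validity window")
    audiences = [(a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("assertion not intended for this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    authn = assertion.find("saml:AuthnStatement", NS)
    session_index = None if authn is None else authn.get("SessionIndex")
    outstanding_request_ids.discard(in_response_to)  # one response per request
    seen_assertion_ids.add(assertion_id)              # replay cache
    return name_id, session_index


def accepts(xml_text, now=SAMPLE_NOW, pending=None, allow_unsolicited=False):
    """True/False wrapper with a fresh request cache and a signature stub, for checks and tests."""
    pending = {"identifier_1"} if pending is None else pending
    try:
        validate_response(xml_text, pending, set(), now, lambda a: True, allow_unsolicited)
        return True
    except SamlValidationError:
        return False
```

The order matters: the signature is verified before any assertion content is trusted, and the request ID and assertion ID are only consumed once every check has passed, so a response that fails part-way cannot burn a legitimate pending request.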











Wednesday, 21 January 2015

Connect the WSO2 Product to an External LDAP User Store


Here I would like to share how to connect a WSO2 product to an LDAP user store. I will explain using the API Manager.


STEP 1: Log in to https://localhost:9443/carbon
STEP 2: Select the option to add a user store, as follows


STEP 3: Fill in the UI with the connection details (LDAP configuration)



A sample XML file for the above configuration follows:

<?xml version="1.0" encoding="UTF-8"?>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
  <Property name="ConnectionName">cn=admin,dc=ds,dc=sample,dc=com</Property>
  <Property name="ConnectionURL">ldap://192.168.1.1:389</Property>
  <Property name="ConnectionPassword">XXXX</Property>
  <Property name="UserSearchBase">ou=People,dc=prime,dc=ds,dc=sample,dc=com</Property>
  <Property name="Disabled">false</Property>
  <Property name="UserNameListFilter">(objectClass=inetOrgPerson)</Property>
  <Property name="UserNameAttribute">uid</Property>
  <Property name="UserNameSearchFilter">(&amp;(objectClass=inetOrgPerson)(uid=?))</Property>
  <Property name="UserEntryObjectClass">inetOrgPerson</Property>
  <Property name="GroupEntryObjectClass">organizationalUnit</Property>
  <Property name="ReadGroups">false</Property>
  <Property name="GroupSearchBase">ou=People,dc=prime,dc=ds,dc=sample,dc=com</Property>
  <Property name="GroupNameAttribute">uid</Property>
  <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
  <Property name="MembershipAttribute">member</Property>
  <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(ou=?))</Property>
  <Property name="MaxUserNameListLength">100</Property>
  <Property name="MaxRoleNameListLength">100</Property>
  <Property name="UserRolesCacheEnabled">true</Property>
  <Property name="SCIMEnabled">false</Property>
  <Property name="PasswordHashMethod">SHA</Property>
  <Property name="UserDNPattern">uid={0},ou=People,dc=prime,dc=ds,dc=sample,dc=com</Property>
  <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
  <Property name="UserNameJavaScriptRegEx">^[\S]{3,30}$</Property>
  <Property name="UserNameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
  <Property name="RoleNameJavaScriptRegEx">^[\S]{3,30}$</Property>
  <Property name="RoleNameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
  <Property name="WriteGroups">true</Property>
  <Property name="EmptyRolesAllowed">true</Property>
  <Property name="DomainName">ldap</Property>
  <Property name="Description">ldap</Property>
</UserStoreManager>

The API Manager is now connected to the LDAP user store.

Note:

Make sure you have filled in the 'User DN Pattern' field.
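What a safe substitution into the two templated properties above looks like, as an added Python example (not part of the original post and not WSO2 code): the '?' in UserNameSearchFilter and the '{0}' in UserDNPattern are replaced with the user name only after RFC 4515 filter escaping and RFC 4514 DN escaping, so a name such as `*)(uid=*` cannot change the meaning of the search. WSO2 performs this substitution internally; the functions here illustrate the check, and the literal reading of the page's UserNameJavaRegEx in USERNAME_RE is an assumption.

```python
import re

# Taken from the user store configuration above.
USER_NAME_SEARCH_FILTER = "(&(objectClass=inetOrgPerson)(uid=?))"
USER_DN_PATTERN = "uid={0},ou=People,dc=prime,dc=ds,dc=sample,dc=com"

# Assumed literal reading of the page's UserNameJavaRegEx: letters, digits and . _ - | /
USERNAME_RE = re.compile(r"^[a-zA-Z0-9._\-|/]{3,30}$")


def username_is_well_formed(username):
    """First line of defence: reject names outside the configured character set and length."""
    return USERNAME_RE.match(username) is not None


def escape_filter_value(value):
    """RFC 4515: escape the characters that carry meaning inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def escape_dn_value(value):
    """RFC 4514: escape a value used as an attribute value inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c in '",+;<>\\' or (i == 0 and c in " #") or (i == last and c == " "):
            out.append("\\" + c)
        elif c == "\x00":
            out.append("\\00")
        else:
            out.append(c)
    return "".join(out)


def build_user_search_filter(username):
    """Fill the '?' of UserNameSearchFilter with an escaped user name."""
    return USER_NAME_SEARCH_FILTER.replace("?", escape_filter_value(username), 1)


def build_user_dn(username):
    """Fill the '{0}' of UserDNPattern with an escaped user name."""
    return USER_DN_PATTERN.replace("{0}", escape_dn_value(username), 1)


if __name__ == "__main__":
    for name in ("alice", "*)(uid=*", "a,b"):
        print(username_is_well_formed(name), build_user_search_filter(name), build_user_dn(name))
```

One detail in the page's own UserNameJavaRegEx, `[a-zA-Z0-9._-|//]{3,30}$`: inside a character class the sequence `_-|` is a range (0x5F to 0x7C), so it also admits the backtick, `{` and `}`, and the pattern has no leading `^`. The literal version above writes the hyphen escaped and anchors both ends.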


Tuesday, 17 June 2014

Read Path Param in wso2 ESB 4.8.1


We can read a 'path' parameter in WSO2 ESB. To do so, we use the "uri-template" attribute of the <resource> tag.

Suppose we need to read parameters from an API URL like "example.com/api/getStatus/{some category}/{some id}.json". We configure the API in the ESB as follows:

STEP 1:

Give the first, static part of the URL as the 'context' of the <api> tag.

Example 

<api xmlns="http://ws.apache.org/ns/synapse" name="sample-API" context="/api/getStatus">

STEP 2:

Give the remaining part of the URL as the 'uri-template' attribute of the <resource> tag; dynamic values are written inside {} braces.

Example

 <resource methods="GET" uri-template="/{category}/{id}.json">

How to read the parameter

We can read a URL path parameter using the 'expression' attribute of the <property> tag. In the <property> tag, the variable name must be the same as the name given inside the {} braces of the <resource> tag (the examples use the uri.var. prefix).

 Example

<property name="uri.var.category" expression="get-property('uri.var.category')"></property>
<property name="uri.var.id" expression="get-property('uri.var.id')"></property>
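How the uri-template matching above works, as an added Python example (not ESB code): it turns the context and the template into an anchored pattern with one path segment per {name}, and returns the values under the same uri.var.* names the <property> mediators read. The function names are mine.

```python
import re
from urllib.parse import urlparse

# Values taken from the API definition above.
API_CONTEXT = "/api/getStatus"
URI_TEMPLATE = "/{category}/{id}.json"


def compile_template(template):
    """Turn '/{category}/{id}.json' into an anchored regex with one named group per {name}."""
    parts = re.split(r"\{(\w+)\}", template)  # even indexes: literal text, odd: placeholder names
    regex = "".join(re.escape(p) if i % 2 == 0 else "(?P<%s>[^/]+)" % p
                    for i, p in enumerate(parts))
    return re.compile("^" + regex + "$")


def read_path_params(request_uri, context=API_CONTEXT, template=URI_TEMPLATE):
    """Return the uri.var.* properties for a request, or None if it does not match the resource."""
    path = urlparse(request_uri).path  # the query string is not part of the template
    if not path.startswith(context + "/"):
        return None
    match = compile_template(template).match(path[len(context):])
    if match is None:
        return None
    return {"uri.var." + name: value for name, value in match.groupdict().items()}


if __name__ == "__main__":
    print(read_path_params("/api/getStatus/books/42.json?verbose=1"))
    print(read_path_params("/api/getStatus/books/42.xml"))
```

The extracted values are client-controlled input; a segment such as `..` matches `[^/]+` just like a real category, so validate them before they are reused in a backend URL or query.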

Wednesday, 21 May 2014

Set Json payload in WSO2 ESB 4.8 and 4.8.1


Here I would like to share how to set a dynamic JSON payload in WSO2 ESB 4.8 and 4.8.1.

We can use the payloadFactory mediator with its media-type property set to 'json' to do that.

SAMPLE API 

This API accepts a POST request whose body includes the user and pwd parameters.

 <api xmlns="http://ws.apache.org/ns/synapse" name="test-API" context="/api/test.json">
   <resource methods="POST">
      <inSequence>
         <payloadFactory media-type="json">
            <format>
{"username":"$1","pwd":"$2"}
</format>
            <args>
               <arg evaluator="json" expression="$.user"></arg>
               <arg evaluator="json" expression="$.pwd"></arg>            
            </args>
         </payloadFactory>
         <log level="full"></log>
         <send>
            <endpoint>
               <http method="POST" uri-template="http://example.com/test/endpoint"></http>
            </endpoint>
         </send>
      </inSequence>
   </resource>
</api>
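What the payloadFactory above does, as an added Python example (not ESB code): extract_args mirrors the two JSON-path arguments, and the two payload builders show why the $1/$2 values have to be escaped as JSON string literals before they are pasted into the format template. How the ESB escapes these values internally is not stated on the page, so the naive version is only an illustration of the failure mode; the function names are mine.

```python
import json

# The payloadFactory format from the API above; $1 and $2 are filled from the $.user and $.pwd args.
FORMAT = '{"username":"$1","pwd":"$2"}'


def extract_args(request_body):
    """Mirror of the two <arg evaluator="json"> expressions: $.user and $.pwd."""
    body = json.loads(request_body)
    return body["user"], body["pwd"]


def naive_payload(user, pwd):
    """Plain text substitution: a value containing a quote changes the JSON structure."""
    return FORMAT.replace("$1", user).replace("$2", pwd)


def json_string_body(value):
    """Escape a value so it stays one JSON string literal (json.dumps minus the outer quotes)."""
    return json.dumps(value)[1:-1]


def safe_payload(user, pwd):
    """Same template, but each value is escaped before it is pasted in."""
    return FORMAT.replace("$1", json_string_body(user)).replace("$2", json_string_body(pwd))


def build_payload(request_body):
    """End to end: incoming request body -> outgoing payload for the endpoint."""
    user, pwd = extract_args(request_body)
    return safe_payload(user, pwd)


def parse_payload(payload):
    """Decode a built payload as the receiving endpoint would."""
    return json.loads(payload)


if __name__ == "__main__":
    hostile = 'bob","role":"admin","x":"'
    print(parse_payload(naive_payload(hostile, "p")))  # extra "role" key appears
    print(parse_payload(safe_payload(hostile, "p")))   # username is the literal string
```

A constructed user name that contains quotes is enough to add a key to the naive output; the escaped version keeps it as one string field, which is the property the ESB's own escaping must provide before the payload is forwarded.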

Monday, 17 March 2014

Insert CSV data to Database using Kettle


Here I would like to share how to insert a CSV file's data into a database with the help of Kettle.

Configure the environment

1 - Download Kettle (click here)

2 - Start Spoon.bat

3 - Select  File ->New->Transformation

4 - Select Input option from left pane

5 - Choose CSV File Input

6 - Double click on CSV File Input and configure as follows


7 - Select Output option from left pane

8 - Choose Table Output

9 - Double click on Table Output and configure as follows

* Add a Connection by clicking 'New'
* Browse Table name
* Browse the Database fields option and enter the field mapping

10 - Click OK to complete configuration

Now you can save and start the transformation


Friday, 7 March 2014

Convert CSV file to Java object

Here I would like to share how to convert a CSV file to a Java object.

Records in the sample CSV


NPI,First Name,Middle Name,Last Name,Designation
1000,Ajmal,A,Abdullah,Software Engineer
2000,Jouhar,O,Oravingal,Software Engineer
3000,Eldho,J,John,Software Engineer

Professional.java


/**
 *
 * @author Jamsheer T
 *
 */
public class Professional {

    String npi;
    String name;
    String mname;
    String lname;
    String desig;

    public String getNpi() {
        return npi;
    }

    public void setNpi(String npi) {
        this.npi = npi;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getMname() {
        return mname;
    }

    public void setMname(String mname) {
        this.mname = mname;
    }

    public String getLname() {
        return lname;
    }

    public void setLname(String lname) {
        this.lname = lname;
    }

    public String getDesig() {
        return desig;
    }

    public void setDesig(String desig) {
        this.desig = desig;
    }

}

CSVtoJava.java


import java.io.BufferedReader;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;

/**
 *
 * @author Jamsheer T
 *
 */
public class CSVtoJava {

    public void convertCsvToJava() {
        Professional profObject = new Professional();
        String csvFileToRead = "C:\\Users\\Jamsheer T\\Desktop\\csv\\prof.csv";
        BufferedReader br = null;
        String line = "";
        String splitBy = ",";
        boolean initial = true;

        try {
            br = new BufferedReader(new FileReader(csvFileToRead));
            while ((line = br.readLine()) != null) {

                // the first line is the header row; skip it
                if (initial) {
                    initial = false;
                    continue;
                }

                // split on comma (',')
                String[] details = line.split(splitBy);

                // copy the values of this line into the Professional object
                profObject.setNpi(details[0]);
                profObject.setName(details[1]);
                profObject.setMname(details[2]);
                profObject.setLname(details[3]);
                profObject.setDesig(details[4]);

                System.out.println("NPI :" + profObject.getNpi());
                System.out.println("NAME :" + profObject.getName());
                System.out.println("Designation :" + profObject.getDesig());
                System.out.println("----------------------------------");
            }

        } catch (FileNotFoundException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            // close the reader even when an exception was thrown
            if (br != null) {
                try {
                    br.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }

    }

}


Main.java


/**
 *
 * @author Jamsheer T
 *
 */
public class Main {

    /**
     * @param args
     */
    public static void main(String[] args) {
        CSVtoJava csvToJavaObject = new CSVtoJava();
        csvToJavaObject.convertCsvToJava();
    }

}

OUTPUT

NPI :1000
NAME :Ajmal
Designation :Software Engineer
----------------------------------
NPI :2000
NAME :Jouhar
Designation :Software Engineer
----------------------------------
NPI :3000
NAME :Eldho
Designation :Software Engineer
----------------------------------






Convert CSV File to JSON Object in JAVA


Here I would like to share how to convert the contents of a CSV file to a JSON object in Java.

Included Libraries

<dependency>
    <groupId>org.codehaus.jettison</groupId>
    <artifactId>jettison</artifactId>
    <version>1.3.4</version>
</dependency>

Sample Code


package com.test.csvtojson;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;

import org.codehaus.jettison.json.JSONException;
import org.codehaus.jettison.json.JSONObject;

/**
 *
 * @author Jamsheer T +91 9846716175
 */
public class CSVtoJson {

    public static void main(String[] args) {
        int i;
        String line = "";
        String fileToParse = "C:\\Users\\Jamsheer T\\Desktop\\csv\\ex.csv";
        BufferedReader fileReader = null;
        boolean initial = true;
        ArrayList<String> header = new ArrayList<String>();
        JSONObject record = new JSONObject();
        try {
            fileReader = new BufferedReader(new FileReader(fileToParse));
            while ((line = fileReader.readLine()) != null) {
                i = 0;
                String[] tokens = line.split(",");
                if (initial) {
                    // the first line holds the column names; strip surrounding quotes
                    for (String token : tokens) {
                        if (token.startsWith("\"")) {
                            token = token.substring(1);
                        }
                        if (token.endsWith("\"")) {
                            token = token.substring(0, token.length() - 1);
                        }
                        header.add(token);
                    }
                    initial = false;
                    continue;
                }
                // map every value in the line to its column name
                for (String token : tokens) {
                    if (token.startsWith("\"")) {
                        token = token.substring(1);
                    }
                    if (token.endsWith("\"")) {
                        token = token.substring(0, token.length() - 1);
                    }
                    record.put(header.get(i), token);
                    i++;
                    if (i == header.size()) break;
                }
                System.out.println(record);
            }
        } catch (IOException e) {
            e.printStackTrace();
        } catch (JSONException e) {
            e.printStackTrace();
        } finally {
            // close the file even when an exception was thrown
            if (fileReader != null) {
                try {
                    fileReader.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
    }
}
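The CSV parsing in both posts above (CSVtoJava.java and CSVtoJson.java) splits each line on ',' with String.split, which misreads a quoted field that itself contains a comma and silently accepts rows with the wrong number of fields. As an added Python example (not the author's code), here is the same header-to-record mapping done with a real CSV parser that honours RFC 4180 quoting and rejects rows whose field count does not match the header. The sample text is constructed, with one record changed to show the quoted-comma case; the function names are mine.

```python
import csv
import io
import json

# Constructed sample with the same columns as the page's prof.csv; the second
# record has a quoted field containing a comma, which line.split(",") would break.
SAMPLE_CSV = """NPI,First Name,Middle Name,Last Name,Designation
1000,Ajmal,A,Abdullah,Software Engineer
2000,Jouhar,O,Oravingal,"Engineer, Software"
"""


def naive_fields(line):
    """The split-on-comma approach used in the Java code above, for comparison."""
    return line.split(",")


def csv_to_records(text):
    """Parse CSV text into a list of dicts keyed by the header row (RFC 4180 quoting honoured)."""
    reader = csv.DictReader(io.StringIO(text))
    records = []
    for line_no, row in enumerate(reader, start=2):
        # DictReader files extra values under the key None and fills missing ones with None
        if None in row or None in row.values():
            raise ValueError("line %d: field count does not match the header" % line_no)
        records.append(dict(row))
    return records


def csv_is_rectangular(text):
    """True when every data row has exactly as many fields as the header."""
    try:
        csv_to_records(text)
        return True
    except ValueError:
        return False


def csv_to_json(text):
    """JSON array of records; the Jettison-based code above prints one such object per line."""
    return json.dumps(csv_to_records(text))


if __name__ == "__main__":
    print(naive_fields('2000,Jouhar,O,Oravingal,"Engineer, Software"'))  # six tokens, one too many
    print(csv_to_json(SAMPLE_CSV))
```

The header row defines the contract for every following row; rejecting a short or long row at parse time is what keeps a malformed line from shifting values into the wrong database column or JSON key further down the pipeline.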